RE: sticky sessions with tcp mode

2015-03-23 Thread Richard.Bassler
Thanks for the response. I changed to source ip. Application seems to
like it better.

>>> Lukas Tribus luky...@hotmail.com 3/21/2015 4:44 AM >>>
> I am having some issues with sticky sessions. The sessions are not
> sticking.
>
> I am using tcp mode with ssl. I have implemented the example out of
> the manual.
> The user is getting bounced back and forth between the two servers,
> which is causing issues in the application.
> Am I missing something?

Probably because TLS tickets are used instead of the SSL session ID. Either
disable TLS tickets on your backend or use some other stickiness method,
like source ip stickiness.


Lukas



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


“CONFIDENTIALITY AND PROPRIETARY INFORMATION NOTICE: This email,
including attachments, is covered by the Electronic Communications
Privacy Act (18 U.S.C. 2510-2521) and contains confidential information
belonging to the sender which may be legally privileged.  The
information is intended only for the use of the individual or entity to
which it is addressed. If you are not the intended recipient, you are
hereby notified that any disclosure, copying, distribution or the taking
of any action in reliance of the contents of this information is
strictly prohibited. If you have received this electronic transmission
in error, please immediately notify the sender by return e-mail and
delete this message from your computer or arrange for the return of any
transmitted information.”


Setting compression for specific request paths

2015-03-23 Thread Sachin Shetty
Hi,

I see that we can set compression type on a frontend or backend. Due to
some application level complication we want haproxy to not compress specific
request path for example /api and compress the rest as usual.

Any idea on how this can be done?

One way would be to route the requests through a different backend and
disable compression there, but that would be an ugly config to maintain.

Thanks
Sachin
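One way to do this without a second backend, as an added example that is not from the thread (the names ft_web, be_web and app1 and the server address are made up): haproxy only compresses a response when the request carried an Accept-Encoding it can honour, so dropping that header on the /api path leaves those responses uncompressed while every other path keeps the backend's compression settings. This assumes http mode and the 1.5 `http-request del-header` action.

```haproxy
frontend ft_web
    bind :80
    mode http
    # Constructed example: strip the client's Accept-Encoding on /api so there is
    # no encoding to negotiate there and the response passes through unchanged.
    http-request del-header Accept-Encoding if { path_beg /api }
    default_backend be_web

backend be_web
    mode http
    # Compression stays enabled for everything that still carries Accept-Encoding.
    compression algo gzip
    compression type text/html text/plain application/json
    server app1 10.0.0.10:8080 check
```

The side effect to check: if the application server compresses on its own based on the same header, its /api responses now arrive uncompressed as well, which may or may not be what the application-level complication wants.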




RE: HAProxy and site failover

2015-03-23 Thread Lukas Tribus
> I have confirmed the behavior. In both cases all new connections
> receive a RST when a backend server is not available to service the
> request. The behavior is Syn - RST in both cases. Any existing
> connections timeout.

That doesn't change the fact that an application can't do this, the
TCP stack needs to do this, and HAProxy doesn't implement its own
TCP stack, it leverages the TCP stack of the OS.

As I said, you need external helpers to install iptables rules or
something like that.

The only thing an application could theoretically do would be to
close the listening socket and reopen it once the services are available
again, but this introduces so many issues (for example we can't drop
privileges, we can't monitor the proxy at all, we need to call the bind logic
again and again, etc.) that I don't think it's worth the trouble.

I understand that your existing (probably proprietary) load-balancing
solution can do this (and it probably only can because some user presented
a huge business case to that vendor), but that doesn't mean it makes sense
to implement it in a layer 4/7 reverse proxy application.


Lukas

  


Re: HAProxy and site failover

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 

- Original Message -

From: Lukas Tribus luky...@hotmail.com 
To: brendan kearney bpk...@gmail.com 
Cc: haproxy@formilux.org 
Sent: Monday, March 23, 2015 5:52:48 PM 
Subject: RE: HAProxy and site failover 






Re: sticky sessions with tcp mode

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Richard Bassler richard.bass...@rsli.com 
To: haproxy@formilux.org, Lukas Tribus luky...@hotmail.com 
Sent: Monday, March 23, 2015 9:41:01 AM 
Subject: RE: sticky sessions with tcp mode 



Re[4]: HAProxy and site failover

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: brendan kearney bpk...@gmail.com 
To: Lukas Tribus luky...@hotmail.com 
Cc: haproxy@formilux.org 
Sent: Monday, March 23, 2015 2:40:57 PM 
Subject: Re: HAProxy and site failover 








Re: HAProxy and site failover

2015-03-23 Thread brendan kearney
I have confirmed the behavior.  In both cases all new connections receive a
RST when a backend server is not available to service the request.  The
behavior is Syn - RST in both cases.  Any existing connections timeout.
On Mar 21, 2015 9:11 AM, Brendan Kearney bpk...@gmail.com wrote:

> On Sat, 2015-03-21 at 14:03 +0100, Lukas Tribus wrote:
>>> haproxy is a tcp (layer 3/4) proxy, that can perform application (layer
>>> 7) functions. i am already doing service checks against my proxies to
>>> validate their availability. when no pool member is available, haproxy
>>> knows it. there are no external helpers needed to make this
>>> determination. the layer 7 capabilities make this possible.
>>>
>>> the injection of a RST is part-and-parcel to the tcp proxy
>>> functionality. i can understand if the functionality is not in haproxy,
>>> but it is not outside the realm of capability for a t.
>>
>> The 3 way TCP handshake happens before the application (haproxy) is even
>> aware of the session, therefore this is only possible if the kernel
>> handles it (iptables), which is why I said it's only possible with external
>> helpers.
>>
>> Or is what you are requesting to send a RST in the middle of an already
>> established TCP session?
>>
>>
>> Please CC the mailing list.
>>
>>
>> Lukas
>
> sorry, thought i did cc the list.
>
> i will have to test out the behavior, as this is an implemented solution
> where i work, using other products. i can test a couple of different
> scenarios that come to mind.
>
> 1, new browser session comes in to the load balancer, and no backend
> servers are available. where / when is the RST sent?
>
> 2, a session to the load balancer exists, and the backend servers become
> unavailable. where / when is the RST sent?
>
> i'll run these scenarios and let you know what i find in a packet
> capture.




Re: HAProxy with multiple certificates, one of which being wild card, and the other being sub of that wildcard

2015-03-23 Thread Ha Quan Le

Thank you for support, we have fixed our issues. 
Ha. 

- Original Message -

From: Lukas Tribus luky...@hotmail.com 
To: Peter BUtler peter_butler1...@outlook.com, haproxy@formilux.org 
Sent: Sunday, March 22, 2015 6:27:15 AM 
Subject: RE: HAProxy with multiple certificates, one of which being wild card, 
and the other being sub of that wildcard 

> I have tried this change already, by renaming them alphabetically.
> Didn't make any difference.

It won't in 1.5.8. Only 1.5.11 respects alphabetical ordering of the
certificates in a folder. Please specify them manually:

crt /etc/haproxy/ssl/wildcard.mycompany.com.au.crt crt /etc/haproxy/ssl/www.secure.mycompany.com.au.crt

(or vice versa, if I haven't got the problem right).


>> You can read the RFC 2818, chapter 3.1. Server Identity for more
>> details :
>> http://tools.ietf.org/html/rfc2818#section-3.1
>
> I think my issue is here, from your link:
> E.g., *.a.com matches foo.a.com but not bar.foo.a.com
>
> In my case I have a cert for both:
> *.a.com.au
> and
> bar.foo.a.com.au

If that information is correct, there is simply a bug here.

The wildcard certificate should be served for secure.mycompany.com.au, 
not the www.secure.mycompany.com.au certificate. 


You are making sure that all the browsers you test with support SNI, correct
(meaning no test with Internet Explorer on Windows XP)?



Lukas 









Mailing list unsubscription not working

2015-03-23 Thread Scott Severtson
All,

I've tried twice in the past week to unsubscribe from the
haproxy@formilux.org mailing list, but it doesn't appear to be working.
Could someone look into what's wrong with the mechanism?

Not that I dislike HAProxy, but there's a bit too much list traffic for my
current needs :)

Thanks,
--Scott


Re: HAProxy and site failover

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Lukas Tribus luky...@hotmail.com 
To: Brendan Kearney bpk...@gmail.com, haproxy@formilux.org 
Sent: Saturday, March 21, 2015 9:03:20 AM 
Subject: RE: HAProxy and site failover 

> haproxy is a tcp (layer 3/4) proxy, that can perform application (layer
> 7) functions. i am already doing service checks against my proxies to
> validate their availability. when no pool member is available, haproxy
> knows it. there are no external helpers needed to make this
> determination. the layer 7 capabilities make this possible.
>
> the injection of a RST is part-and-parcel to the tcp proxy
> functionality. i can understand if the functionality is not in haproxy,
> but it is not outside the realm of capability for a t.

The 3 way TCP handshake happens before the application (haproxy) is even
aware of the session, therefore this is only possible if the kernel handles
it (iptables), which is why I said it's only possible with external helpers.

Or is what you are requesting to send a RST in the middle of an already 
established TCP session? 


Please CC the mailing list. 


Lukas 





Re: HAProxy and site failover

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Brendan Kearney bpk...@gmail.com 
To: Lukas Tribus luky...@hotmail.com 
Cc: haproxy@formilux.org 
Sent: Saturday, March 21, 2015 9:11:57 AM 
Subject: Re: HAProxy and site failover 

On Sat, 2015-03-21 at 14:03 +0100, Lukas Tribus wrote:
>> haproxy is a tcp (layer 3/4) proxy, that can perform application (layer
>> 7) functions. i am already doing service checks against my proxies to
>> validate their availability. when no pool member is available, haproxy
>> knows it. there are no external helpers needed to make this
>> determination. the layer 7 capabilities make this possible.
>>
>> the injection of a RST is part-and-parcel to the tcp proxy
>> functionality. i can understand if the functionality is not in haproxy,
>> but it is not outside the realm of capability for a t.
>
> The 3 way TCP handshake happens before the application (haproxy) is even
> aware of the session, therefore this is only possible if the kernel handles
> it (iptables), which is why I said it's only possible with external helpers.
>
> Or is what you are requesting to send a RST in the middle of an already
> established TCP session?
>
>
> Please CC the mailing list.
>
>
> Lukas

sorry, thought i did cc the list.

i will have to test out the behavior, as this is an implemented solution
where i work, using other products. i can test a couple of different
scenarios that come to mind.

1, new browser session comes in to the load balancer, and no backend
servers are available. where / when is the RST sent?

2, a session to the load balancer exists, and the backend servers become
unavailable. where / when is the RST sent?

i'll run these scenarios and let you know what i find in a packet
capture.





Re: HAProxy with multiple certificates, one of which being wild card, and the other being sub of that wildcard

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Peter BUtler peter_butler1...@outlook.com 
To: haproxy@formilux.org 
Sent: Sunday, March 22, 2015 1:15:07 AM 
Subject: Re: HAProxy with multiple certificates, one of which being wild card, 
and the other being sub of that wildcard 




forgot to CC the mailing list.

thanks Cyril.

> Date: Fri, 20 Mar 2015 00:47:53 +0100
> From: cyril.bo...@free.fr
> To: peter_butler1...@outlook.com; haproxy@formilux.org
> Subject: Re: HAProxy with multiple certificates, one of which being wild
> card, and the other being sub of that wildcard
>
> Hi Peter,
>
> On 20/03/2015 00:32, Peter Butler wrote:
>> I logged this on stackoverflow
>> (http://stackoverflow.com/questions/29133477/haproxy-with-multiple-certificates-one-of-which-being-wild-card-and-the-other),
>> but HAProxy usage there is pretty low.
>>
>> This is my first mailing list email in years, please let me know if I
>> have broken any rules.
>>
>> I have HAProxy working pretty well, I have port 80 and 443 open, TCP
>> over 443 over an internal proxy. HTTPS end to end. I am serving
>> certificates: *.mycompany.com.au www.secure.mycompany.com.au
>> SNI does not seem to be working, as when I go to
>> secure.mycompany.com.au, I keep getting the www.secure.mycompany.com.au
>> certificate (and weirdly *most* browsers do not throw an error). But when
>> I go to mail.mycompany.com.au I get the *.mycompany.com.au certificate
>> correctly.
>
> Indeed, keep in mind that a wildcard certificate works only for
> subdomains, not sub-subdomains.

this is fine, and as mentioned it's working great for my other wild card certs,
but the difference is they do not have a
specific.sub-which-is-the-same-as-a-wildcard.mycompany.com.au
(and I believe the bold part is my issue here).

> So www.secure.mycompany.com.au won't match the *.mycompany.com.au
> wildcard certificate. As no certificate matches the hostname, the first
> one loaded is applied. I guess that in your SSL directory, the
> certificate file for secure.mycompany.com.au is listed first.

I have tried this change already, by renaming them alphabetically. Didn't make
any difference.

> You can read the RFC 2818, chapter 3.1. Server Identity for more details :
> http://tools.ietf.org/html/rfc2818#section-3.1

I think my issue is here, from your link:
E.g., *.a.com matches foo.a.com but not bar.foo.a.com

In my case I have a cert for both:
*.a.com.au
and
bar.foo.a.com.au

>> If I remove the www.secure.mycompany.com.au cert from the SSL directory,
>> and I browse to secure.mycompany.com.au I get the correct certificate,
>> but of course when I go to www.secure.mycompany.com.au, I get an error on
>> the browser, as it tries to give me *.mycompany.com.au certificate.
>
> It tends to confirm this : the wildcard still doesn't match, and the
> first certificate is applied (which in this case is by chance the
> wildcard). If you insert a fake certificate before the wildcard, I'm sure
> it will be this one that will match.
>
>> Can anyone see what I am doing wrong please.
>>
>> By the way, I also have a *.abc.def.mycompany.com.au and
>> *.def.mycompany.com.au in this same config (removed from below, but in same
>> syntax). and they are working perfect.
>>
>> haproxy -version
>> HA-Proxy version 1.5.8 2014/10/31
>> Copyright 2000-2014 Willy Tarreau w...@1wt.eu
>>
>> ##########
>> global
>> daemon
>> user haproxy
>> group haproxy
>> log /dev/log local0 info
>> log /dev/log local0 notice
>> ulimit-n 2
>> pidfile /var/run/haproxy.pid
>> tune.ssl.default-dh-param 2048
>>
>> ##########
>> ## Port80 is open only to forward all requests to port 443.
>> frontend unsecure 123.123.123.155:80 #Prod
>> bind 192.168.14.155:80 #Prod
>> mode http
>> redirect scheme https code 301 if !{ ssl_fc }
>>
>> ##########
>> ##Listen on 443, and forward to internal proxy on 88. Needed for SSL end to end.
>> listen ssl-proxy
>> ##Only accept mycompany host headers
>> http-request deny if !{ hdr_end(Host) -i mycompany.com.au } !{ hdr_end(Host) -i www.secure.mycompany.com.au }
>>
>> # Get Certificates from SSL directory.
>> bind 123.123.123.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
>> bind 192.168.14.155:443 ssl crt /etc/haproxy/ssl npn http/1.1 ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM no-sslv3
>>
>> mode tcp
>> server http 127.0.0.1:88 send-proxy
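The matching rule Cyril and RFC 2818 describe, together with the fall-back-to-first-certificate behaviour, as an added Python example that is not from the thread and not HAProxy's own code: `*` stands for exactly one DNS label, an exact name wins over a wildcard, and when nothing matches the first certificate loaded is served. Run with Peter's two names it shows what a correct selection gives for each hostname, which is what Lukas expects and why he calls Peter's observation a bug. The function names and the lookup order (exact before wildcard) are this example's assumptions.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 section 3.1 style matching: '*' stands for exactly one label,
    so *.a.com matches foo.a.com but neither bar.foo.a.com nor a.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # different label count: never a match
    for pl, hl in zip(p, h):
        if pl == "*":
            if not hl:
                return False              # an empty label is not "one label"
            continue
        if pl != hl:
            return False
    return True


def select_certificate(cert_names: list, sni: str) -> str:
    """Simulate the selection Cyril describes (assumed order: exact match first,
    then a matching wildcard, else the first certificate loaded).
    cert_names is the load order, e.g. the order of files in the crt directory."""
    for name in cert_names:
        if "*" not in name and name.lower() == sni.lower():
            return name
    for name in cert_names:
        if "*" in name and wildcard_matches(name, sni):
            return name
    return cert_names[0]


def explain(cert_names: list, sni: str) -> tuple:
    """Return (certificate served, reason) so a mismatch is visible at a glance."""
    chosen = select_certificate(cert_names, sni)
    if chosen.lower() == sni.lower():
        return chosen, "exact"
    if "*" in chosen and wildcard_matches(chosen, sni):
        return chosen, "wildcard"
    return chosen, "default (first loaded, no match)"


if __name__ == "__main__":
    # Peter's two certificates in the order he said he tried (www.secure first).
    loaded = ["www.secure.mycompany.com.au", "*.mycompany.com.au"]
    for host in ("secure.mycompany.com.au", "www.secure.mycompany.com.au",
                 "mail.mycompany.com.au", "other.example.org"):
        print(host, "->", explain(loaded, host))
```

With the wildcard loaded alone, www.secure.mycompany.com.au falls through to the default and gets the wildcard certificate, which is the browser error Peter sees after removing the www.secure file; with both loaded, secure.mycompany.com.au should resolve to the wildcard by the matching rule rather than to the www.secure certificate.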
  
  

Re: 503 on alive backends, hanging processes on reload

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Jeff Mitchell jeffrey.mitch...@gmail.com 
To: haproxy@formilux.org 
Sent: Friday, March 20, 2015 6:11:14 PM 
Subject: 503 on alive backends, hanging processes on reload 

I'm running haproxy 1.5.11-1ppa1~trusty from 
https://launchpad.net/~vbernat/+archive/ubuntu/haproxy-1.5 on Trusty 
(Ubuntu 14.04). 

It is a fairly basic configuration that mostly comes straight from the 
defaults: 

global 
log /dev/log local0 
log /dev/log local1 notice 
chroot /var/lib/haproxy 
stats socket /run/haproxy/admin.sock mode 660 level admin 
stats timeout 30s 
user haproxy 
group haproxy 
daemon 

# Default SSL material locations 
ca-base /etc/ssl/certs 
crt-base /etc/ssl/private 

# Default ciphers to use on SSL-enabled listening sockets. 
# For more information, see ciphers(1SSL). 
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3 

defaults 
log global 
mode http 
option httplog 
option dontlognull 
maxconn 1024 
timeout queue 5000 
timeout connect 5000 
timeout client 5 
timeout server 5 
errorfile 400 /etc/haproxy/errors/400.http 
errorfile 403 /etc/haproxy/errors/403.http 
errorfile 408 /etc/haproxy/errors/408.http 
errorfile 500 /etc/haproxy/errors/500.http 
errorfile 502 /etc/haproxy/errors/502.http 
errorfile 503 /etc/haproxy/errors/503.http 
errorfile 504 /etc/haproxy/errors/504.http 

frontend ft_poml_vip 
bind :80 

acl host_apibrowse hdr_beg(host) -i apibrowse 
use_backend be_apibrowse if host_apibrowse 

backend be_apibrowse 
server registry 10.88.24.3:49163 

I also have several more ACLs and backends that are not shown, but 
follow the exact same pattern as above (with different host header 
matching). 

The main differences from the default are maxconn/timeout queue, both 
of which I set to try to solve this problem, and my simple 
frontend/backend. 

After a time, calls from a web browser to haproxy are sometimes, but 
not always, being given 503 errors. When I see this happening, if I 
sit on a very simple page and refresh rapidly, I will sometimes get 
503s and sometimes not. I turned off health checks to ensure that 
failing health checks were not the source of the 503s. 

What I have noticed is some oddness with the haproxy processes. Here 
is date and ps -ef output when I am seeing this behavior: 

Fri Mar 20 21:55:38 GMT 2015 

haproxy 19621 1 0 17:35 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 19599
haproxy 20075 1 0 20:50 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 20063
haproxy 20121 1 0 20:50 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 20112

service haproxy reload has been called at various times when the 
backends have come and gone and the config file has been rewritten, 
including at 17:35 and 20:50. 

When haproxy is in this state, service haproxy stop does not stop 
all processes: 

# service haproxy stop 
* Stopping haproxy haproxy 

[ OK ] 
# ps -ef | grep haproxy 
haproxy 19621 1 0 17:35 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 19599
haproxy 20075 1 0 20:50 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 20063

If I then start the service again, those same processes run, but with a new 
one: 
# ps -ef | grep haproxy 
haproxy 19621 1 0 17:35 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 19599
haproxy 20075 1 0 20:50 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 20063
haproxy 20395 1 0 22:04 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid

When I run service haproxy stop and then manually kill any remaining 
processes, and then run service haproxy start, I get just the one 
process: 
# ps -ef | grep haproxy 
haproxy 20443 1 0 22:05 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D -p /var/run/haproxy.pid

At this point I do *not* get the 503 errors. Everything runs great 
until the cycle repeats itself. 

It feels like this is some issue with haproxy reloading. It is 
possible that reload was called multiple times rapidly when being 
performed by the automated system, but in my testing if I call it very 
rapidly from the command line I haven't been able to replicate the 
issue. 

Any help would be much appreciated. 

Thanks! 
--Jeff 
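A small diagnostic for the process pile-up Jeff describes, as an added Python example that is not from the thread: it parses `ps -ef` output, pairs each haproxy master with the pid it was started to replace (the `-sf` argument), and lists the generations that are still running although the pidfile no longer names them. The sample lines are constructed from the pids in Jeff's message; the pidfile content is an assumption.

```python
import re

# Constructed `ps -ef` lines modelled on the report: three haproxy masters, each
# started with "-sf <previous pid>", i.e. old generations that never exited.
SAMPLE_PS = """\
haproxy 19621 1 0 17:35 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 19599
haproxy 20075 1 0 20:50 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 20063
haproxy 20121 1 0 20:50 ? 00:00:00 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -D -sf 20112
"""
# Assumed pidfile content: only the newest generation is recorded there.
SAMPLE_PIDFILE = "20121\n"

# ps -ef columns: UID PID PPID C STIME TTY TIME CMD
PS_RE = re.compile(r"^\S+\s+(?P<pid>\d+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$")


def haproxy_processes(ps_text: str) -> dict:
    """Map pid -> the pid it was told to replace with -sf (None if started fresh)."""
    procs = {}
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if not m or "/haproxy" not in m.group("cmd"):
            continue                       # not an haproxy binary (skips the grep line too)
        sf = re.search(r"-sf\s+(\d+)", m.group("cmd"))
        procs[int(m.group("pid"))] = int(sf.group(1)) if sf else None
    return procs


def stale_processes(ps_text: str, pidfile_text: str) -> list:
    """Running haproxy masters that the pidfile does not name, oldest pid first.
    After a clean reload only the pids in the pidfile should still be running."""
    live = {int(p) for p in pidfile_text.split()}
    return sorted(pid for pid in haproxy_processes(ps_text) if pid not in live)


def reload_chain(ps_text: str) -> list:
    """(pid, pid it replaced, is that old pid still running) for each generation,
    which shows that 19599 and 20063 did exit while 19621 and 20075 did not."""
    procs = haproxy_processes(ps_text)
    return [(pid, old, old in procs) for pid, old in sorted(procs.items())]


if __name__ == "__main__":
    print("stale:", stale_processes(SAMPLE_PS, SAMPLE_PIDFILE))
    for pid, old, alive in reload_chain(SAMPLE_PS):
        print(f"{pid} replaced {old} (old still running: {alive})")
```

Feed it the real output (`subprocess.check_output(["ps", "-ef"], text=True)` and the contents of /var/run/haproxy.pid) to get the list of pids that a stop through the pidfile will not touch; a generation that is still running also still holds the configuration it was started with.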




Re: HAProxy and site failover

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Brendan Kearney bpk...@gmail.com 
To: haproxy@formilux.org 
Sent: Friday, March 20, 2015 8:29:07 PM 
Subject: HAProxy and site failover 

hi, first time / long time... 

i am wondering if the ability exists in HAProxy to reply to an HTTP proxy 
request with a reset (RST) if no backend server is available. 

the scenario goes as such: 
i have a proxy pac file that assigns multiple proxies to all clients, 
and through the logic tree in the pac file, the proxies are assigned in 
a specific order. i have multiple sites with load balanced proxies, and 
the intention is to provide site failover, should a larger event occur 
like ISP issues that breaks internet access. with the pac file 
assigning all proxy VIPs to the client, should the default VIP not have 
an available backend server to fulfill the request, i would want to 
configure HAProxy to send a reset to the client, indicating that the 
next assigned proxy should be used. 

with site failover happening transparently, a user who would normally 
browse through the proxy/proxies at site1 would be automatically failed 
over and browse through the proxy/proxies at site2. if no servers were 
available in site2, then the next assigned proxy would be used and 
failures with RST replies would result in failovers until all assigned 
proxies are exhausted. 

the intention is not to provide / assign hundreds of proxies in the pac 
file, but to provide resiliency with a couple of sites serving as 
backups to each other, should an event warrant it. 

thank you, 

brendan kearney 
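Lukas's point in this thread is that the RST Brendan wants has to come from the kernel, because the SYN is answered before haproxy ever sees the connection; the "external helper" he mentions is something outside haproxy that watches backend health and installs an iptables rule. The following Python script is an added example of such a helper (not from the thread and not part of HAProxy): it reads `show stat` from the stats socket, checks whether the named backend has any server UP, and installs or removes a `REJECT --reject-with tcp-reset` rule on the proxy port. The socket path, the backend name be_proxies and port 3128 are assumptions; the `show stat` sample is constructed and cut to its leading columns, and parsing is by column name so the real, wider output works too.

```python
import csv
import io
import socket
import subprocess

# Constructed sample of `show stat` output, truncated to the leading columns.
SAMPLE_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,
be_proxies,proxy1,0,0,0,3,,42,1000,2000,,0,,0,0,0,0,DOWN,1,1,0,
be_proxies,proxy2,0,0,0,2,,40,900,1800,,0,,0,0,0,0,DOWN,1,1,0,
be_proxies,BACKEND,0,0,0,5,1024,82,1900,3800,0,0,,0,0,0,0,DOWN,2,0,0,
be_other,app1,0,0,1,4,,100,5000,9000,,0,,0,0,0,0,UP,1,1,0,
be_other,BACKEND,0,0,1,4,1024,100,5000,9000,0,0,,0,0,0,0,UP,1,1,0,
"""


def parse_show_stat(text: str) -> list:
    """Parse haproxy's CSV stats; the header line starts with '# '."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("unexpected show stat format")
    lines[0] = lines[0][2:]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def backend_has_up_server(rows: list, backend: str) -> bool:
    """True if at least one real server (not the FRONTEND/BACKEND summary rows) is UP."""
    return any(
        r["pxname"] == backend
        and r["svname"] not in ("FRONTEND", "BACKEND")
        and r["status"].startswith("UP")
        for r in rows
    )


def fetch_show_stat(sock_path: str = "/run/haproxy/admin.sock") -> str:
    """Query the live stats socket (path assumed; it is the Ubuntu package default)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"show stat\n")
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def reject_rule(port: int) -> list:
    """iptables rule that answers new SYNs on the proxy port with a TCP RST."""
    return ["iptables", "-I", "INPUT", "-p", "tcp", "--dport", str(port),
            "--syn", "-j", "REJECT", "--reject-with", "tcp-reset"]


def reconcile(rows: list, backend: str, port: int, run=subprocess.run) -> str:
    """Install the RST rule while no server is up, remove it once one returns.
    `run` is injectable so the decision logic can be tested without iptables."""
    rule = reject_rule(port)
    spec = rule[2:]                                   # everything after "iptables -I"
    present = run(["iptables", "-C"] + spec, capture_output=True).returncode == 0
    if backend_has_up_server(rows, backend):
        if present:
            run(["iptables", "-D"] + spec, check=True)
            return "removed"
        return "absent"
    if not present:
        run(rule, check=True)
        return "installed"
    return "kept"


if __name__ == "__main__":
    rows = parse_show_stat(fetch_show_stat())
    print(reconcile(rows, "be_proxies", 3128))
```

Run it as root from cron or a loop. The rule matches `--syn` only, so established connections are untouched and time out as Brendan observed, while each new client SYN is answered with a RST, which is the signal his pac file needs to move to the next proxy. Some hysteresis (not shown) avoids flapping the rule when a server is briefly marked DOWN.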





Re: sticky sessions with tcp mode

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Richard Bassler richard.bass...@rsli.com 
To: haproxy@formilux.org 
Sent: Friday, March 20, 2015 10:27:33 PM 
Subject: sticky sessions with tcp mode 

I am having some issues with sticky sessions. The sessions are not sticking.

I am using tcp mode with ssl. I have implemented the example out of the manual.
The user is getting bounced back and forth between the two servers, which is
causing issues in the application.
Am I missing something?

HA-Proxy version 1.5.2 2014/07/12

frontend pc
bind 192.168.10.72:443
mode tcp
option tcplog
default_backend pc

backend pc
mode tcp
balance roundrobin

stick-table type binary len 32 size 30k expire 30m

acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2

tcp-request inspect-delay 5s
tcp-request content accept if clienthello

tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello

server r15-21 192.168.10.21:443 check
server r16-22 192.168.10.22:443 check
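To see why the configuration above can fail to stick, and what Lukas's reply in this thread means by TLS tickets, here is an added Python example that is not from the thread and not HAProxy's code. It builds constructed TLS 1.2 ClientHello records and reads them the way `stick on payload_lv(43,1)` does: a 1-byte session_id length at offset 43 (5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random) followed by the ID itself. It also looks for the SessionTicket extension of RFC 5077: a ticket-capable client does not rely on the session_id for resumption, so that field is not a stable per-client key and session-ID stickiness has nothing reliable to match on. The record layout and extension number are standard; the diagnosis strings and test vectors are this example's own.

```python
import struct

# TLS record / handshake constants (RFC 5246, RFC 5077)
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SESSION_TICKET = 0x0023
# Offset of the 1-byte session_id length inside a ClientHello record:
# 5 (record header) + 4 (handshake header) + 2 (version) + 32 (random) = 43,
# the same offset the thread's "stick on payload_lv(43,1)" rule reads.
SESSION_ID_LEN_OFFSET = 43


def build_client_hello(session_id: bytes, ticket: bytes = None) -> bytes:
    """Constructed test vector: a minimal TLS 1.2 ClientHello record.
    A non-None ticket adds a SessionTicket extension (empty = 'please issue one')."""
    body = b"\x03\x03" + bytes(32)                      # client_version + random (zeros, constructed)
    body += bytes([len(session_id)]) + session_id       # session_id<0..32>
    body += struct.pack(">H", 2) + b"\x00\x2f"          # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                 # compression methods: null only
    if ticket is not None:
        ext = struct.pack(">HH", EXT_SESSION_TICKET, len(ticket)) + ticket
        body += struct.pack(">H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract the session_id and the SessionTicket extension body (None if absent)."""
    if (len(record) < SESSION_ID_LEN_OFFSET + 1 or record[0] != TLS_HANDSHAKE
            or record[5] != CLIENT_HELLO):
        raise ValueError("not a TLS ClientHello record")
    pos = SESSION_ID_LEN_OFFSET
    sid_len = record[pos]; pos += 1
    session_id = record[pos:pos + sid_len]; pos += sid_len
    (cs_len,) = struct.unpack(">H", record[pos:pos + 2]); pos += 2 + cs_len
    comp_len = record[pos]; pos += 1 + comp_len
    ticket = None
    if pos + 2 <= len(record):                          # the extensions block is optional
        (ext_len,) = struct.unpack(">H", record[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", record[pos:pos + 4]); pos += 4
            if etype == EXT_SESSION_TICKET:
                ticket = record[pos:pos + elen]
            pos += elen
    return {"session_id": session_id, "session_ticket": ticket}


def stick_key(record: bytes):
    """Mirror of haproxy's payload_lv(43,1): 1-byte length at offset 43, value follows.
    Returns None when the client sent an empty session_id (nothing to stick on)."""
    n = record[SESSION_ID_LEN_OFFSET]
    return record[SESSION_ID_LEN_OFFSET + 1:SESSION_ID_LEN_OFFSET + 1 + n] or None


def diagnose(record: bytes) -> str:
    """Explain whether session-ID stickiness can work for this ClientHello."""
    info = parse_client_hello(record)
    if info["session_ticket"] is not None:
        return ("ticket-capable client: session_id is not a reliable stick key; "
                "disable tickets on the servers or stick on source ip")
    if not info["session_id"]:
        return "full handshake with empty session_id: nothing to stick on yet (key learned from ServerHello)"
    return "session_id present and no ticket extension: session-ID stickiness applies"


if __name__ == "__main__":
    for rec in (build_client_hello(b"\x11" * 32),
                build_client_hello(b"\x11" * 32, ticket=b"\xaa" * 16),
                build_client_hello(b"", ticket=b"")):
        print(stick_key(rec), "->", diagnose(rec))
```

The `stick store-response payload_lv(43,1)` line in the configuration reads the same offset in the ServerHello, which is where the server's chosen session ID would be learned on a full handshake; with tickets in use that ID is not what the client presents on its next connection, which is why Lukas suggests disabling tickets on the backend or switching to source-ip stickiness.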







Re: OCSP stappling full support

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Pierre Ozoux pie...@ozoux.net 
To: haproxy@formilux.org 
Sent: Friday, March 20, 2015 11:59:16 AM 
Subject: OCSP stappling full support 

Hi, 

HAProxy provides OCSP stapling since v1.5 and this is nice! 

However, it is still difficult to set up compared to Apache or Nginx. 
I had to do this little script: 
https://wiki.mozilla.org/Talk:Security/Server_Side_TLS#OCSP_in_HAProxy 

It would be really nice if it was as easy as Apache and Nginx. 
Is it planned in the roadmap? 

Thanks a lot for your work, 

Pierre 

-- 
I use PGP to protect our privacy, if you want to know more, you can 
follow this 
https://emailselfdefense.fsf.org/en/ 

If you have further questions, please do not hesitate to ask. 
You can verify my public key here: https://keybase.io/pierreozoux 




Re: Setting compression for specific request paths

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Sachin Shetty sshe...@egnyte.com 
To: haproxy@formilux.org 
Sent: Monday, March 23, 2015 3:38:53 AM 
Subject: Setting compression for specific request paths 




Re: Attached: May you support me for this issue logs of HAProxy

2015-03-23 Thread Ha Quan Le
Thank you for support, we have fixed our issues. 
Ha. 
- Original Message -

From: Ramin K ramin-l...@badapple.net 
To: Ha Quan Le nlp...@shaw.ca, haproxy@formilux.org 
Sent: Friday, March 20, 2015 6:56:59 PM 
Subject: Re: Attached: May you support me for this issue logs of HAProxy 

Loads simpler to do the following: 

## /etc/haproxy/haproxy.cfg 

global 
log /dev/log local0 notice 

## /etc/rsyslog.d/49-haproxy.conf 

# Create an additional socket in haproxy's chroot in order 
# to allow logging via /dev/log to chroot'ed HAProxy processes 
$AddUnixListenSocket /var/lib/haproxy/dev/log 

# Send HAProxy messages to a dedicated logfile 
if $programname startswith 'haproxy' then /var/log/haproxy.log
&~

I believe most of the above is included in Vincent Bernat's very nice 
Ubuntu/Debian packages, https://launchpad.net/~vbernat 

Ramin 




RE: Mailing list unsubscription not working

2015-03-23 Thread Lukas Tribus
> I've tried twice in the past week to unsubscribe from the
> haproxy@formilux.org mailing list, but it
> doesn't appear to be working.

By writing to haproxy+unsubscr...@formilux.org, right?


  


Re: Mailing list unsubscription not working

2015-03-23 Thread Scott Severtson
Yup!
--Scott

On Mon, Mar 23, 2015 at 7:06 PM, Lukas Tribus luky...@hotmail.com wrote:

>> I've tried twice in the past week to unsubscribe from the
>> haproxy@formilux.org mailing list, but it
>> doesn't appear to be working.
>
> By writing to haproxy+unsubscr...@formilux.org, right?




